geeksrot.blogg.se

Kali linux wireshark packet sniffing greyed out







Without further information, I'm going to assume that you're working with a Microsoft Network Monitor cap file, and in that case, you may want to refer to this question. I believe it's still applicable, and I've verified it with at least 1 capture file, NetMon34.cap, from the Wireshark menagerie and Wireshark master, specifically Version 2.9.1 (v2.9.1rc0-634-gcdfc56b3).

For this particular file, the problematic packet appears to be the very first one, which is a netmon_filter packet. I did manage 1 solution though, which I'll describe using the NetMon34.cap file as an example:

1. Open the capture file in Wireshark and apply the netmon_filter display filter to find all problematic packets. In the case of the NetMon34.cap file, only packet 1 matched the filter, so we need to remove it. (Perhaps it's always packet 1, and only packet 1, that is the problematic packet in these types of files, in which case this step might not be strictly necessary. It certainly doesn't hurt to be sure though.)

2. Remove the netmon_filter packet using editcap:

    editcap -F netmon2 NetMon34.cap NetMon34_2-.cap 1

   This will remove packet 1 from the NetMon34.cap file, which is the aforementioned netmon_filter packet, and write the remaining packets to the NetMon34_2-.cap file, which will be saved as a netmon2 file type, which is the only type that seems to work (in my testing at least; I did not attempt every possible format).

3. Open the new NetMon34_2-.cap file in Wireshark.

You can check/compare file information using capinfos and see the problem with multiple encapsulations in the original file, only a single encapsulation in the file with the netmon_filter packet removed, and finally a different encapsulation after I used "Save As..." to save the file as a pcap file instead of a netmon2 file. For example:

    capinfos -E NetMon34.cap
    Encapsulation in use by packets (# of pkts):

There may be other ways to accomplish this, but this was the only method that I could come up with. For example, in Wireshark, I first tried to have Wireshark ignore the netmon_filter packet (right-click then Ignore/Unignore Packet) and then see if "Save As..." was active, but it still wasn't.
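The procedure above as a script, added here as an example and not part of the original post: it goes beyond the single-packet case by removing every frame that matches the netmon_filter display filter, rather than assuming it is always packet 1. The helper names frames_to_args and strip_netmon_filter are hypothetical, and tshark, editcap and capinfos are assumed to be on the PATH.

```shell
#!/bin/sh
# Added example: generalises the manual "remove packet 1" step to every frame
# that matches the netmon_filter display filter named in the post.

# frames_to_args (hypothetical helper): read frame numbers, one per line, and
# print them space-separated for editcap; fail on anything non-numeric.
frames_to_args() {
    _out=""
    while IFS= read -r _n; do
        [ -z "$_n" ] && continue
        case "$_n" in
            *[!0-9]*) echo "unexpected frame number: $_n" >&2; return 1 ;;
        esac
        _out="${_out:+$_out }$_n"
    done
    printf '%s' "$_out"
}

# strip_netmon_filter (hypothetical helper): $1 is the NetMon capture,
# $2 is the cleaned copy to write.
strip_netmon_filter() {
    _in=$1; _outfile=$2
    # List the frame numbers of all netmon_filter packets.
    _raw=$(tshark -r "$_in" -Y netmon_filter -T fields -e frame.number) || return 1
    _frames=$(printf '%s\n' "$_raw" | frames_to_args) || return 1
    if [ -z "$_frames" ]; then
        echo "no netmon_filter frames in $_in; nothing to remove" >&2
        return 2
    fi
    # Word splitting of $_frames is intended: one argument per frame number.
    # editcap removes the listed frames by default and keeps the rest.
    editcap -F netmon2 "$_in" "$_outfile" $_frames || return 1
    # Print the encapsulation summary of both files for comparison.
    capinfos -E "$_in" "$_outfile"
}

# Run only when called as: script IN.cap OUT.cap
if [ "$#" -eq 2 ]; then
    strip_netmon_filter "$1" "$2"
fi
```

The script stops before calling editcap if tshark reports anything other than plain frame numbers, so a changed output format cannot delete the wrong packets.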







